BlueScale Encryption User Guide

(1)

User Guide

(2)

associated documentation on an “AS IS” BASIS, WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUD-ING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, BOTH OF WHICH ARE EXPRESSLY DISCLAIMED. In no event shall Spectra Logic be liable for any loss of profits, loss of business, loss of use or data, interruption of business, or for indirect, special, incidental or consequential damages of any kind, even if Spectra Logic has been advised of the possibility of such damages arising from any defect or error.

Information furnished in this manual is believed to be accurate and reliable. However, no responsibility is assumed by Spectra Logic for its use. Due to continuing research and development, Spectra Logic may revise this publication from time to time with-out notice, and reserves the right to change any product specification at any time withwith-out notice.

If you do not agree to the above, do not use the Spectra library; instead, promptly contact Spectra Logic for instructions on how to return the library for a refund.

License

You have acquired a Spectra library that includes software owned or licensed by Spectra Logic from one or more software licensors (“Software Suppliers”). Such software products, as well as associated media, printed materials and “online” or electronic documentation (“SOFTWARE”) are protected by copyright laws and international copyright treaties, as well as other intellectual property laws and treaties.

If you do not agree to this end user license agreement (EULA) or to the terms and conditions under Notices above, do not use the Spectra library; instead, promptly contact Spectra Logic for instructions on return of the Spectra library for a refund. Any use of the Software, including but not limited to use on the Spectra library, will constitute your agreement to this EULA (or ratification of any previous consent).

Grant of License. The Software is licensed on a non-exclusive basis, not sold. This EULA grants you the following rights to the

Software:

• You may use the Software only on the Spectra library.

• Not Fault Tolerant. The Software is not fault tolerant. Spectra Logic has independently determined how to use the Software in

the Spectra library, and suppliers have relied upon Spectra Logic to conduct sufficient testing to determine that the Software is suitable for such use.

• No Warranties for the SOFTWARE. The Software is provided “AS IS” and with all faults. The entire risk as to satisfactory

qual-ity, performance, accuracy, and effort (including lack of negligence) is with you. Also, there is no warranty against interference with your enjoyment of the Software or against infringement. If you have received any warranties regarding the SOFTWARE, those warranties do not originate from, and are not binding on Software suppliers.

• Note on Java Support. The Software may contain support for programs written in Java. Java technology is not fault tolerant and

is not designed, manufactured, or intended for use of resale as online control equipment in hazardous environments requiring fail-safe performance, such as in the operation of nuclear facilities, aircraft navigation or communications systems, air traffic control, direct life support machines, or weapons systems, in which the failure of Java technology could lead directly to death, personal injury, or severe physical or environmental damage.

• No Liability for Certain Damages. Except as prohibited by law, Software suppliers shall have no liability for any indirect,

spe-cial, consequential or incidental damages arising from or in connection with the use or performance of the Software. This limi-tation shall apply even if any remedy fails of its essential purpose. In no event shall Software suppliers, individually, be liable for any amount in excess of U.S. two hundred fifty dollars (U.S. $250.00).

• Limitations on Reverse Engineering, Decompilation, and Disassembly. You may not reverse engineer, decompile, or

disas-semble the Software, except and only to the extent that such activity is expressly permitted by applicable law notwithstanding this limitation.

• Software Transfer Allowed with Restrictions. You may permanently transfer rights under this EULA only as part of a

perma-nent sale or transfer of the Spectra library, and only if the recipient agrees to this EULA. If the Software is an upgrade, any transfer must also include all prior versions of the Software.

• Export Restrictions. Export of the Software from the United States is regulated by the Export Administration Regulations (EAR,

15 CFR 730-744) of the U.S. Commerce Department, Bureau of Export Administration. You agree to comply with the EAR in the export or re-export of the Software: (i) to any country to which the U.S. has embargoed or restricted the export of goods or services, or to any national or any such country, wherever located, who intends to transit or transport the Software back to such country; (ii) to any person or entity who you know or have reason to know will utilize the Software or portion thereof in the design, development or production of nuclear, chemical, or biological weapons; or (iii) to any person or entity who has been prohibited from participating in U.S. export transactions by any federal agency of the U.S. government. You warrant and represent that neither the BXA nor any other U.S. federal agency has suspended, revoked or denied your export privileges. For additional information see http://www.microsoft.com/exporting/.

(3)

Chapter 1. Introduction

About This Guide . . . 7

Shipped Items . . . 9

BlueScale Encryption Overview

Chapter 2. Encryption Architecture & Strategies

BlueScale Encryption Overview . . . .11

Site-Specific Decisions . . . .11

Best Practices . . . 16

Site Security Example: Low Security Site . . . 20

Site Security Example: Medium Security Site . . . 21

Site Security Example: High Security Site . . . 22

Before You Begin Installation . . . 23

Summary: Mandatory Security Procedures . . . 24

Spectra T950 and T120 BlueScale Encryption

Chapter 3. Installing and Activating Encryption in Spectra T950 and T120 Libraries

Installing Encryption: Upgrading Your Library . . . 27

Activating Encryption . . . 28

(4)

Chapter 4. Using Standard Edition in Spectra T950 and T120 Libraries

Using Encryption . . . 30

Configuring Encryption . . . 30

Creating an Encryption Key . . . 33

Assigning a Key to a Partition . . . 35

Protecting Keys . . . 37

Deleting a Key . . . 40

Restoring Data . . . 40

Chapter 5. Using Professional Edition in Spectra T950 and T120 Libraries

Professional Edition Overview . . . 46

Protecting Keys . . . 57

Deleting a Key . . . 67

Chapter 6. Recycling Encrypted LTO-4 Media in Spectra T950 and T120 Libraries

Recycling Media . . . 68

(5)

Spectra T50

BlueScale Encryption

Chapter 7. Installing and Activating Encryption in Spectra T50 Libraries

Installing Encryption: Upgrading Your Library . . . 72

Activating Encryption . . . 73

Next Steps . . . 75

Encryption Icon . . . 76

BlueScale Encryption Editions . . . 77

Data to Encrypt . . . 79

Getting Started . . . 80

Media Recycling . . . 80

Best Practices . . . 81

Chapter 8. Using Standard Edition in Spectra T50 Libraries

Recycling Encrypted Media . . . 98

Chapter 9. Using Professional Edition in Spectra T50 Libraries

Professional Edition Overview . . . 101

(6)

EDU

and

BlueScale Encryption Support

Chapter 11. Endura Decryption Utility

Endura Decryption Utility Overview . . . 124

Requirements . . . 124

Decrypting Data: EDU Command Line . . . 125

Using EDU to Decrypt Data: One Drive . . . 126

Using EDU to Decrypt Data: Two Drives . . . 128

Chapter 12. Technical Support & Spectra Logic Contact Information

BlueScale Encryption Support . . . 130

Contacting Spectra Logic . . . .131

(7)

About This Guide

This guide contains information about BlueScale Encryption for Spectra T950, T120, and T50 libraries. This reviews information on the configuration and use of encryption. Note that the encryption procedures for the Spectra T950 and T120 libraries cover both library-based and drive-based encryption; the Spectra T50 library supports drive-based encryption only. The guide has been divided into the following sections:

BlueScale Encryption Overview on page 10 reviews both encryption best practices and information on using BlueScale Encryption and key management on your site, and includes a short glossary.

Spectra T950 and T120 BlueScale Encryption on page 26 reviews using Spectra T950/T120 BlueScale Encryption and key management.

Spectra T50 BlueScale Encryption on page 71 reviews using Spectra T50 BlueScale Encryption and key management.

EDU and BlueScale Encryption Support on page 123 reviews an optional utility that lets you recover data without a library; this section also provides support information.

Intended Audience

(8)

Related Publications

This guide outlines the configuration and use of BlueScale Encryption software in your Spectra library.

For detailed information on the configuration and use of the library itself, see the Spectra Logic publications specific to your library.

• The library’s user guide describes the configuration and use of the library, including specifications and troubleshooting information.

• The library’s release notes provide the most up-to-date information about the library, drives, and media.

The most up-to-date versions of all library documentation are available on Spectra Logic’s Web site at www.SpectraLogic.com.

Conventions Used in this Guide

Important information is called out as follows:

Note: Provides additional points or suggestions.

Caution:Provides information about how to avoid damage to equipment. Warning: Describes ways to avoid personal injury.

A caret (>) describes a series of menu selections. For example: Select Configuration > Network

means

(9)

Shipped Items

The following items are included with the purchase of BlueScale Encryption: • One encryption activation key

• One software support agreement • This user guide

• One t-shirt

(10)

(11)

BlueScale Encryption Overview

BlueScale Encryption is tightly integrated into your Spectra library. Encryption can be handled through the library’s encryption-enabled Quad Interface Processors (QIPs), if any are in use, and through LTO-4 drives working with LTO-4 media. BlueScale encryption key management is provided through the library’s graphical interface.

If a single library has encryption-ready QIPs and LTO-4 drives installed, both can be used for encryption. Set up an encryption-enabled partition for each.

The system is based on two major components:

• The encryption chip on the QIP or LTO-4 drive. By implementing encryption in both types of hardware, the encryption is extremely fast and places no burden on your network. • Key management software through the library’s graphical interface. The interface displays

using the library’s touch-screen front panel Library Controller (LC). It also displays from anywhere through the Web, using a Web browser to display the Remote Library Controller (RLC). Optionally, you can secure the Web browser using SSL, which is part of the

Telescope suite of management tools.

Together, these components let you easily implement the strongest encryption available, as recognized by the federal government: AES encryption using a 256-bit key. BlueScale Encryption incorporates multiple layers of security, some of which are discussed in this chapter. Others are technically implemented and invisible to the user.

Site-Specific Decisions

To determine a BlueScale Encryption strategy appropriate for your site and your data, decide on the security level appropriate for your site, and the amount and kinds of data to encrypt. Then you can make some choices about how best to implement BlueScale Encryption.

(12)

BlueScale Encryption: Standard Edition vs. Professional Edition

All data encrypted using BlueScale Encryption and Key Management—Standard and Professional Editions, and LTO-4 drive-based encryption—is secured by the strongest

available encryption method, AES-256. Through BlueScale Encryption and Key Management, you have additional choices in defining the level of security you can implement in your data center. Whether to implement BlueScale Standard Edition or Professional Edition is your first choice.

Feature Standard Edition Professional Edition

Keys - Single encryption key on a library at a time

- Easier to manage and track

- Multiple simultaneous encryption keys (maximum is 30 keys)

- More secure, with a key for each of multiple data sets

Encryption Login Passwords

- Single encryption password - Easier to manage and track

- Choice of either one encryption password or three - More secure, with the option of requiring multiple

users to export and import keys, etc. Key Export and

Import

- Import and export functions require a single password - Easier to manage

- Choice of single password or M-of-N shares with multiple passwords to export/import keys - More secure

Compression a

a. If you are using drive-based encryption, compression is handled through the drive. Further references to compression in this manual apply to library-based, not drive-based, encryption.

- Not available for QIP-based encryption

- Available for QIP-based encryption Compatibility

between Versions

- Data encrypted using either version can be decrypted by a library running the other version.

- Data encrypted and compressed by a library using LTO-4 drives, Professional Edition, or both, can be decrypted and decompressed by a library running Standard Edition. Summary - Less secure, but less to manage - Fewer tapes through compression

(13)

BlueScale Standard Edition

For sites with a primary goal of securing data while it is transported to a remote site and stored there, or only for data that will be stored for a long period of time, BlueScale Standard Edition works well.

For information about configuring and using BlueScale Encryption Standard Edition, see Chapter 4. Using Standard Edition in Spectra T950 and T120 Libraries on page 30.

BlueScale Professional Edition

For sites that want to implement compression along with greater flexibility and security, to protect data wherever it’s stored and regardless of the retention period, BlueScale Encryption Professional Edition works well.

For information about configuring and using BlueScale Professional Edition, see Chapter 5. Using Professional Edition in Spectra T950 and T120 Libraries on page 45.

Security on Initialization

Both editions of BlueScale Encryption give you security options at library startup. Choose whether to start the library:

• In standard mode, so that at library startup, data is encrypted with no further action required.

• In secure initialization mode, so that at startup, drives are not automatically enabled; encryption is only available and backups only run after a superuser has logged in and the encryption password is entered.

(14)

Multiple Encryption Password Support

The Standard Edition of BlueScale Encryption supports one encryption password.

The Professional Edition of BlueScale Encryption lets you choose whether to support one encryption password, or three encryption passwords that enforce another level of security. If you choose to implement the triple-password option, then:

• Three different passwords must be entered when configuring encryption.

• Any one of the three passwords must be entered to enable encryption when the library is in Secure Initialization mode.

• Any one of the three passwords must be entered to access encryption key management and configuration options, excluding key import and export.

• Two of the three passwords must be entered to import and export keys.

Data to Encrypt

Decide whether to encrypt all data or a subset; then determine if the encrypted data can be grouped together or if it must be isolated into sets. For example, your site may store financial data as one set, separate from consumer identity information.

If all data can be encrypted together, the library requires only a single, encryption-enabled partition. Otherwise, create multiple encryption-enabled partitions, one for each set of data, and one or more partitions for data that is not to be encrypted.

Users with Professional Edition typically set up multiple partitions, each with its own key. For example, if you are encrypting all your data, you only need one partition. If you are encrypting only some of your data, create a partition dedicated to encryption along with a non-encryption partition. If you want to keep your encrypted data sets isolated, create an encryption-enabled partition for each encrypted data set, along with non-encryption partitions as needed.

Note: Implementing encryption after the library has been configured to

handle encryption simply requires creating backup jobs with your backup software, which sends data to the proper partitions. Data is automatically encrypted as it is backed up.

(15)

Encryption Methods

Choose how to encrypt data. You can use encryption-enabled QIPs, LTO-4 drives, or both to encrypt data. With QIPs, the library handles encryption, and can encrypt data written to any tape type (such as LTO-3 and SAIT). With LTO-4 drives, the drive handles encryption, and encrypts data written to LTO-4 tapes.

Note: If a partition uses LTO-4 drive-based encryption, the library can load

LTO-3 media into that partition. However, attempts to write to LTO-3 media fail. Note that LTO-4 drives can successfully read data on LTO-3 tapes.

Further, if an encryption-enabled QIP and a Fibre Channel LTO-4 drive share a partition, you can only encrypt data using the LTO-4 drive.

To decrypt data encrypted using a QIP, use a partition with QIP-based encryption. To decrypt data encrypted using an LTO-4 drive, use a partition with drive-based encryption.

Only one encryption key is allowed per LTO-4 tape. Once you stop using that key, you can no longer directly encrypt data to any LTO-4 tape that stores data encrypted using the old key. To write encrypted data using a different key, you must first recycle the tape. Recycling media is easily managed through BlueScale Encryption Key Management.

LTO-4 Media Recycling

LTO-4 tapes can store only data encrypted using a single key. If you have an LTO-4 tape storing data encrypted using a different key, or encrypted using a QIP, you have to recycle the tape before you can re-use it in an encryption-enabled LTO-4 drive.For more information about recycling media using a T950 or T120 library, refer to Chapter 6. Recycling Encrypted LTO-4 Media in Spectra T950 and T120 Libraries on page 68. For more information about recycling media using a T50, refer to Chapter 10. Recycling Encrypted Media in Spectra T50 Libraries on page 119.

(16)

Best Practices

To effectively use BlueScale Encryption and to ensure data security, plan an encryption strategy and back it up with processes and best practices. Once you’ve implemented BlueScale Encryption, which always uses the strongest keys (AES-256), build custom strategies based on your security requirements. As stated in the NIST publication Recommendation for Key Management1_:

“Ultimately, the security of information protected by cryptography directly depends on [...] the effectiveness of [...] protocols associated with keys, and the protection afforded the keys.”

Sound key management policies and procedures and appropriate staff are essential to successful encryption.

People

Identify the people on your site who are responsible for backing up data. They will be responsible for encrypting data written to tape and to other portable media, such as mobile RXT®_{Media packs. Identify:}

• The person to have superuser privileges on the Spectra Logic library with BlueScale Encryption.

• The person to have the library’s encryption password.

Next, identify how many users are to have responsibilities that involve encryption. It may be wise to have more than a single user familiar with passwords, depending on the size of your organization, so that if one person is not available, another can take over. Make sure only the authorized users know the encryption passwords, and that the passwords themselves are secure. Refer to Passwords and Other Identifiers on page 19 for more information on setting up passwords and monikers.

1. Barker, Elaine, W. Barker, W. Burr, W. Polk, and M. Smid. Recommendation for Key Management Part 1: General. NIST Publication 800-57, 2005, p. 25

(17)

Processes

On an organizational level, you need to identify the level of security your site requires, and the data to be encrypted—for example, you may choose to encrypt all data, or any combination of financial, identity-related information, and strategic data.

Consider the following when establishing your encryption procedure:

• Determine the level of security to use at startup. Both editions of BlueScale encryption permit a standard mode and a secure initialization mode, described in Security on Initialization on page 13.

• Identify any data sets that must be isolated from other encrypted data sets, described in Data to Encrypt on page 14.

• Identify when to make copies of encryption keys. AES-256 encryption, a symmetric encryption method, is a private key method. Users must track each key, which BlueScale Encryption identifies only by a nickname, or moniker. The key itself is never displayed, and is encrypted prior to export. Best practices dictate that you make copies of the key immediately following the key’s creation.

• Identify the number of copies to make of each key, and note the location of each key copy. Consider storing multiple copies of keys, that you then track carefully, storing the copies away from the data encrypted using those keys. It is important to make sure that at least one copy of each key is secure and readable (that is, uncorrupted), to make sure you can restore your data. This is important in that keys, once deleted, are not recoverable—and once the key is gone, the data is inaccessible; this is typically considered deleted for legal and practical purposes.

• Identify the key rotation plan—how often to create and use new keys. BlueScale

Encryption Standard Edition stores one key on the library at a time. Professional Edition permits multiple keys per library, with a one key per encryption-enabled partition. In Standard Edition, you must delete the key currently on the library before you can create another key.

• Before you delete a key, make sure that at least one copy has been exported and stored securely.

(18)

• Identify methods of tracking user passwords, key passwords and monikers. If the data is stored on a computer, make sure it is stored on a computer that enforces encryption and is not available on a network.

• Optionally, identify a primary and secondary team, so that you have redundancy in your encryption strategy. Although that means the information required to decrypt data is spread across more people, it also means that restoration of encrypted data may be much easier, and you may ultimately have more data protection given the extra layer of

coverage; for example, if a user leaves, you aren’t in a position to lose data. This returns to your initial decisions on how tightly and in what manner to enforce security for your site. • Run drills confirming that your data is being encrypted properly, that keys are stored

properly, and that you can recover your data efficiently. Make sure that these drills are included with your overall organizational security strategy.

• Create procedures to handle encrypted data that has been, or may have been,

compromised. For example, you may want to take all data and decrypt it, then re-encrypt it and store it in an alternate location. You will also need to investigate the incident

involving compromised data, and take appropriate actions if identity-related data may have been exposed.

• Archive the Endura Decryption Utility (EDU) for emergency use, such as to recover from a disaster. Use this utility if you have no Spectra Logic libraries on hand but need to decrypt and write data, which you can then restore using backup software.

• If you are using Professional Edition and multiple keys, make sure that data stored to one tape shares a common expiration date or period (e.g., fourth quarter), regardless of the number of keys used to encrypt data written to the tape. This simplifies tape management and re-use.

• If you are using Professional Edition, make sure that critically important data is stored using a single key on its own tape, to simplify restoration in case of disaster recovery and to achieve business continuity goals.

• If you are using Professional Edition, you may want to take advantage of the M-of-N shares option. This lets you select the M-of-N (such as 2 of 3) option to split a single file of encrypted key data into multiple parts, or shares (N, which in this example is 3), and then requires some specified subset (M, which in this example is 2) to import the file containing key data. This further protects data from unauthorized use.

(19)

Passwords and Other Identifiers

BlueScale Encryption requires that you supply passwords and monikers (key names). Your site may want to consider whether specific rules govern these.

Superuser Login/Encryption Passwords Passwords are standard user security that restrict

access. Spectra Logic BlueScale Encryption requires that a superuser is logged in, then an encryption password is supplied. A Professional Edition feature lets you optionally require two of three different encryption passwords to be entered. The passwords involved with all editions of BlueScale Encryption are:

• Superuser Password: Lets you access all administrative privileges except encryption privileges. To access encryption features, the superuser must be logged in prior to entering the encryption password.

• Encryption Password: Lets you access encryption features. This password must be entered after the superuser login; then you can select Security --> Encryption to display the encryption password screen.

• Import/Export Key Password: Lets you import and export encryption keys. This feature is only available after the superuser has logged in and the encryption password has been entered. Optionally, in Professional Edition, you can require two different passwords prior to importing and exporting keys.

Password(s) for Key Import and Export Passwords are also used to encrypt keys for export.

Your site may consider whether to create different rules for these passwords, such as requiring that these passwords are longer than the encryption access password(s), and therefore more secure.

Monikers Your site may want to create rules governing naming conventions for key

monikers, an alphanumeric identifier used to refer to the never-revealed true key value, which is a 256-bit key.

Password and Naming Standards Examples Create password and naming standards, in part

again depending on your site’s security requirements. For example, your site may require a high level of security for access to encryption partitions, in which case you need to require some combination of the following:

• A long password

(20)

Site Security Example: Low Security Site

Description of organization: Small company with 75 employees.

Security Considerations

Security goals Protecting company from legal liability associated with unauthorized access to data stored on tape, both onsite and offsite, including transport to the offsite location. Encryption principals IT administrator, company president, corporate legal counsel.

Data to encrypt Financial and consumer identity data. Level of security to

implement

BlueScale Standard Edition: single key per library is sufficient.

Standard initialization mode: encryption partitions are enabled at all times. Data sets requiring

isolation

None. A single partition for encrypted data is sufficient.

Key escrow method Staff at company will escrow keys at a site remote from the data storage location. Copies of each key to

store and their locations

Keep three copies of each key: one with the senior IT administrator, one with the company president, one in a corporate safety deposit box.

Key rotation plan Create a new key every six months. Tracking key monikers

and passwords

On a non-networked computer that supports encryption, create one or more charts or lists with this data, including key moniker, dates used, encryption and superuser passwords, and password used to encrypt exported key. (Because BlueScale prompts for the required encryption key moniker when restoring encrypted data, this company chose not to track monikers and their relationship to media.) Multiple encryption

teams (optional)

Deemed unnecessary given the users already identified as those responsible for encryption.

Schedule and run drills Formalized approach deemed unnecessary. Instead, incorporate review of data decryption into standard six-month check to make sure that backups and restores are working properly. This now includes a test involving data decryption.

Passwords • Password to access encryption features: minimum of 12 characters, including at least one number and one letter

• Password to export and import encryption keys: minimum of 30 characters, including at least one number and one letter

(21)

Site Security Example: Medium Security Site

Description of organization: Medium-sized organization with 250 employees.

Security Considerations

Security goals Protecting company from legal liability associated with unauthorized access to data stored on tape onsite and offsite, including transport to the offsite location. Encryption principals IT senior staff, chief operating officer.

Data to encrypt Intellectual property, financial, customer, and inventory data. Level of security to

implement

• BlueScale Professional Edition, with multiple keys

• Standard initialization mode: encryption partitions enabled at start-up • Multi-user mode, with three encryption passwords

Data sets requiring isolation from other encrypted data

Separate partitions and keys for these data sets: financial data, inventory data, customer data, and intellectual property data. With this requirement, the site must use a minimum of four encryption-enabled partitions, along with partition(s) for non-encrypted data.

Key escrow method Store key copies with corporate legal counsel and a paid, trusted, third-party escrow service.

Number of copies of each key to store, and locations

Keep three copies of each key: store one with corporate legal counsel, two with the key escrow service.

Key rotation plan Create a new key every quarter for each partition dedicated to encryption. Tracking key monikers,

exported key passwords, and password to permit access to encryption features

Send to key escrow service an encrypted document that includes the password used to access encryption features, superuser password, and all passwords necessary to import encryption keys. This file cannot be created or stored on a networked computer. Delete file from computer after the document or file is transmitted securely to key escrow service.

Multiple encryption teams Three IT administrators, along with the senior IT admin and the COO. Schedule and run drills Annual evaluation and review, along with wider corporate security plan. Passwords • Passwords to access encryption features: minimum of 12 characters,

including at least one number and one letter

(22)

Site Security Example: High Security Site

Description of organization: Enterprise organization.

Security Considerations

Security goals Protecting all stored data.

Encryption principals IT senior staff, chief operating officer, chief security officer, chief technology officer. Data to encrypt All.

Level of security to implement

• BlueScale Professional Edition, with multiple keys

• Secure Initialization Mode: After library power is turned on, encryption user must enter password to enable partitions dedicated to encryption

• Multi-user mode, with three encryption passwords. Data sets requiring

isolation

Each data set is separately keyed, as defined by the department generating data. Key escrow method Store key copies with two remote corporate legal counsel offices and also with a

paid, trusted third-party escrow service. Copies of each key to

store, and the stored key locations

Keep three copies of each key: one to the main office of corporate legal counsel, two to the key escrow service.

Key rotation plan Create a new key every month for each partition dedicated to encryption. Tracking key monikers

and passwords

Send to the key escrow service an encrypted file with encryption access passwords and superuser passwords. Send to corporate legal office a list of passwords used to export keys. Files with this data cannot be created or stored on a networked computer; delete file or files from computer once data is transmitted securely. Multiple encryption

teams (optional)

Senior IT admin, chief operating officer, chief security officer, chief technology officer.

Schedule and run drills Quarterly evaluation and review, in conjunction with wider corporate security plan. Passwords • Passwords to access encryption features: minimum of 15 characters, including at

least one number and one letter

• Password to export and import encryption keys: minimum of 40 characters, including at least one number and one letter

(23)

Before You Begin Installation

Glossary

AES-256: Advanced Encryption Standard (AES) algorithm that uses a 256-bit key. AES is the

NIST-approved encryption algorithm that is used by the federal government and that is being broadly adopted.

BlueScale: Software available on Spectra Logic libraries that supports library intelligence

along with the Spectra Logic encryption solution and key management.

Cleartext: Text that is not encrypted.

EDU: Endura Decryption Utility is a command-line data decryption utility that can be installed

on any computer running the Linux operating system, to be used if no Spectra library is available at time of data decryption and restoration. To use EDU, attach the recommended two tape drives to the Linux host running the utility, then use EDU to decrypt data from the encrypted tape and write the decrypted data back to tape. If you have only one tape drive, make sure that the Linux host has enough available disk space to store the data as it’s decrypted from the tape. Once the data is decrypted and written to tape, it can then be restored using backup software.

Endura Decryption Utility: See EDU.

Endura Key Management: The software that permits encryption key creation, deletion, and

management, all within the library. Use the library front panel or a Web browser to manage the library and encryption.

Moniker: The nickname an administrator assigns to an encryption key. This moniker hides

the true value of the key, while still giving administrators a method of managing and referring to the key.

NIST: National Institute of Standards and Technology.

Partition: A logical library; that is, a part of a physical library that appears to the external

(24)

Summary: Mandatory Security Procedures

The most important key management tasks are:

• Always make two or more copies of each key. The key must be protected, but it must also be available. If you choose to store only a single copy of a key, and then something happens to the device storing the key, you’ve lost both your key and all data encrypted using the key.

To emphasize: if you lose the key, your data is unrecoverable. You need to balance the number of copies of the key to store to guarantee access to the encrypted data against the security risk associated with storing multiple keys. Make sure that the key has been successfully stored prior to removing a key from the library.

• Store keys in a location apart from the location used to store the data encrypted using one of the keys.

• Create a list of every password associated with each key and securely store the list. Never keep this list as cleartext on a networked computer, or send it through email as cleartext, etc. To decrypt and restore data, you need the data, key, and password protecting the key and data.

• Track every copy of each key. This is critical to meet requirements that may govern data retention and data destruction. Destroying all keys associated with encrypted data is sufficient to satisfy data destruction requirements, since encrypted data can’t be accessed without the key used to encrypt it.

For example, you may want to track the information about your keys. For suggestions, see the table on page 25.

(25)

Spectra Logic recommends tracking the following information about every key that you create.

Key Moniker:

_______________________ Detailed Information

Number of key copies

______

and location of each copy:

1. 2. 3.

. . . Password(s) associated with

exported copy of the moniker: Location of data stored on mobile media, which has been encrypted using this moniker: Dates of moniker creation and proposed expiration:

(26)

(27)

Spectra T950 and T120 Libraries

Installing Encryption: Upgrading

Y

our Library

If your library uses BlueScale 9.5 firmware or higher, then your library supports BlueScale Encryption that is library-based (handled by QIPs); no firmware upgrade is required for this encryption method. For drive-based encryption, you must install a minimum firmware level of BlueScale 10.0, if it is not already installed.

Check with SpectraGuard®_{Support to see if upgrades to this firmware should be installed for}

your library.

Encryption is handled either through the library or through LTO-4 drives. Configuring encryption and managing encryption keys are handled through the LC or RLC.

1. Make sure that you have the appropriate library hardware installed:

• A QIP that supports encryption (such as the G3 or G5 F-QIP) or

• An LTO-4 tape drive is installed and LTO-4 media loaded or

• Both are installed and LTO-4 media loaded if you intend to use drive-based encryption for a partition with both types of hardware installed.

If you intend to use library-based encryption, any type of supported media can be loaded.

2. Update your library firmware level to BlueScale 9.5 or higher. See the description

above for more information.

Note that the firmware upgrade may require up to twelve minutes or more to complete, during which time the library enters a quiescent state.

Warning: Do not turn off the library once you begin the firmware upgrade.

(28)

Activating Encryption

Once your library has an encryption-enabled QIP installed, or an LTO-4 tape drive installed and LTO-4 media loaded, you can activate encryption with a BlueScale Encryption key.

To activate encryption for the Spectra T950 and T120 libraries:

1. Log in as superuser and then select Configuration

>

System. The System Setup

screen displays.

2. To enable encryption, enter the BlueScale Encryption activation key in the Key field

(circled above) and then select Save.

The screen refreshes to show Encryption in the list of activated keys. Encryption is now activated and can be configured.

(29)

Next Steps

Once you have activated BlueScale Encryption, you can configure and use it.

Configuration

Encryption configuration entails selecting an encryption mode and creating one or more encryption passwords (the number of passwords depends on if you have BlueScale Standard Edition or BlueScale Professional Edition). The encryption password enables you to access the encryption features.

Configuring encryption is described in Configuring Encryption on page 30 for BlueScale Standard Edition and Configuring Encryption on page 47 for BlueScale Professional Edition.

Accessing and Using Encryption Features

To access BlueScale Encryption features, the following steps are required for every session (that is, every time a user logs in using the library front panel or every instance of running the RLC through a Web browser).

• A user with superuser privileges logs in and selects Security

>

Encryption.

The Encryption User Login screen displays.

• A user who is entrusted with the password(s) enters an encryption password in the Password field, then selects OK.

The Encryption Configuration screen that enables access to all encryption features displays.

Note that security is greatly enhanced when the user who knows the password is different than the one logging into the system. If you have three passwords, consider having different individuals responsible for each password.

Working with the encryption features is described in Using Encryption on page 30 for BlueScale Standard Edition and Using Encryption on page 45 for BlueScale Professional Edition.

(30)

T950 and T120 Libraries

Using Encryption

Once BlueScale Encryption is configured on your library, configure your backup software so that data to be encrypted while it is backed up is sent to a partition that has encryption enabled and has been assigned an encryption key.

Restoring data is also transparent. If the encryption key required to decrypt the data is not on the library, the library displays the moniker of the key to import. Restoring Data on page 40 contains information about data restoration.

Configuring Encryption

Accessing Encryption Features

for the First Time

1. Log in as a superuser, then select Security

>

Encryption. The

Encryption User Login screen displays.

2. Select OK. No login or password is

required the first time you log in. The Encryption Configuration screen displays.

(31)

Configuring Encryption

1. From the Encryption Configuration screen, select Configure. The Encryption Settings

screen displays.

2. Configure how you want the library to be used:

• Standard Mode: When the library is powered on during startup, data can be

backed up to partitions that support encryption without entering an encryption password.

• Secure Initialization Mode: When the library is powered on during startup,

partitions dedicated to encryption are not available, so backups sent to them cannot run. To initialize the encryption partitions, someone must log in as a superuser, then enter the encryption password.

To use Secure Initialization Mode, select Enable Secure Initialization.

(32)

3. In the New Encryption User Password field, type in a password, using any combination

of the numbers 0-9, lower and upper case alphabetic characters (a-z and A-Z), and the at sign (@), dash (-), underscore (_), and colon (:) characters.

4. Re-enter the password in the Retype Password field, then select OK.

The Encryption Configuration screen again displays.

At this point, no encryption key has been created, so no key moniker displays, as illustrated in the screen below.

(33)

Creating an Encryption Key

1. From the Encryption Configuration

screen, select Add Key. The New Encryption Key screen displays.

2. Enter a name in the Moniker field

that has not been used for any other encryption key, and that uses any combination of the numbers

0-9, lower and upper case

alphabetic characters (a-z and A-Z), and the at sign (@), dash (-), and colon (:) characters.

Use an underscore character instead of an empty space to separate characters.

This moniker is the name that you will use to reference the key.

Note that the real key value never displays and that administrators don’t ever need to specify the real key value in order to encrypt data or manage keys. The moniker helps to protect data encrypted using the key; it does so by making sure that the true key value isn’t displayed.

Rules for Creating Monikers

• Each moniker must be a unique string of characters, independent of case. • Make a habit of using a single case (all upper or all lower) for monikers. After

export, case is ignored, so that keys associated with the monikers Moniker1, moniker1, and MONIKER1 are interpreted as a single key. If you have two monikers that are identical except for case, then you may not be able to retrieve some of your data after importing such a key.

(34)

3. Select OK.

The Encryption Configuration screen displays, showing the key moniker, along with its creation time and date and a message reminding you to create a copy of the key for safekeeping.

If the key is lost, data cannot be recovered, so promptly copying the key and storing it safely (that is, away from the data encrypted using the key) is extremely important to data decryption and recovery. This is covered in Protecting Keys on page 37.

Because the key, identified by its moniker, isn’t yet assigned to a partition—that is, used by a partition to encrypt data—None is listed in the Primary Key For column. Also, because BlueScale Standard Edition only supports using one key, the Import Key and Add Key selections no longer display. If you delete the key, they display again.

(35)

Assigning a Key to a Partition

After creating a key, you can assign it to one or more library partitions when adding or editing a partition through the partition configuration wizard.

The Encryption screen for partition configuration lets you enable encryption for the partition. It only displays if the encryption password has been entered and there is at least one key available on the library.

Depending on your library and partition configuration, you may have up to three choices available on the partition configuration encryption screen:

• No encryption

• QIP-based encryption

• LTO-4 drive-based encryption

Partitions with encryption-enabled QIPs offer an additional option: Enable Clear File at BOT. Choose this option if you want to enable all drives to be able to read the headers of encrypted tapes, which is a useful option for sites with a large number of tapes to manage.

To assign a key to a partition:

1. Log in as a superuser, then select Security

>

Encryption. The Encryption User

Login screen displays.

2. Enter the encryption password, then select OK.

3. Select Configuration

>

Partitions. The Shared Library Services screen displays. 4. Select New to add a partition, or select Edit to modify the settings for an existing

partition.

5. Navigate through the partition configuration screens by selecting Next until the

Encryption screen displays.

6. If the partition can support encryption, the encryption choices that display and are

available depend on the hardware for the partition.

Note that the content of the Encryption screen varies accordingly. See the options described on the next page.

(36)

• To encrypt data using the QIP, select QIP-based Encryption.

Also, if you want readable (that is, non-encrypted) data at the beginning of the tape, also select Enable Clear File at BOT.

– or –

• Select Drive-based Encryption.

– or –

If the data written through this partition does not need to be encrypted, make sure the

(37)

7. Navigate through the remaining partition configuration screens by selecting Next. 8. Once the Save Partition screen displays, select Save.

All data sent to this partition will be encrypted, using the key currently active on the library.

Protecting Keys

Data cannot be recovered without the encryption key used to encrypt the data, so protecting encryption keys is extremely important to data decryption and recovery.

Protect encryption keys by:

• Making copies of every key through Key Export • Storing the keys in a secure location

• Tracking the location of the keys and the passwords required to import them

Protect your keys by making sure that copies of the keys reside elsewhere. Two methods are available for key export: copying the encrypted key to a USB device, and emailing an

encrypted version of the key as an attachment to a user who has been configured as a mail user through the library.

Best practices recommend storing keys offsite in a location other than the site used for media storage. Confirm that the key is stored correctly on the USB device or has been received by the intended recipient before deleting the key from your system. If you delete the key, you must import the key to decrypt the data. Importing keys is described in Importing Keys on page 41. You may want to make two copies of a key, storing each in a secure location. Note the location of these keys, so that you can easily find the key when you need to restore or delete data.

(38)

Exporting Encryption Keys

To export the current encryption key:

>

2. Enter the encryption password, then select OK. The Encryption Configuration screen

displays.

3. Select Export Key. The Export Type screen displays.

4. Select either Export Single File to USB or Email Exported Key.

•If you select Export Single File to USB, plug a USB device into the USB library port

(see the library documentation for information about the location of this port). Then, select Next.

•If you select Email Exported Key, select an email user from the Mail single key file

to drop-down menu.

To send the key to a user who isn’t listed as a library user, you must first create the email recipient. For instructions on how to do this, see the library’s user guide.

5. After you either insert the USB device or select an email alias, select Next. 6. Enter a password, which is used to encrypt the key.

(39)

7. Note the password, which you will need to import the key. Without it, you cannot

import the key, and the data encrypted using the key is lost.

8. Select Next.

•If you exported the key to a USB device:

Confirm that the encrypted key copied correctly by selecting Check Key Files. If you are not sure, delete all data from the USB device so that no trace of the failed key attachment remains, then use another USB device and start again with Step 2 above.

•If you exported the key using email:

Confirm the receipt of the attachment by checking with the user to whom you sent the encrypted key file.

Caution:Make sure you track, in conformance with your security plan, where

you have stored the key or who received an email message with the key. You need the password created when exporting the key and the encrypted file containing the key to import the encryption key.

(40)

Deleting a Key

To use a new key to encrypt data, you must first delete the existing key. Then you can create the new key and assign it to one or more partitions. Note that you will need a copy of the existing key to restore data that was encrypted with the existing key.

With drive-based encryption, only one key is allowed per LTO-4 tape. To use a tape encrypted with a deleted encryption key, you must first scratch the tape through BlueScale Encryption. This procedure is described in Chapter 6. Recycling Encrypted LTO-4 Media in Spectra T950 and T120 Libraries on page 68.

To delete a key:

>

displays.

3. Confirm that at least one copy of the key has been exported and stored safely. 4. Select Delete Key and respond to the confirmation screens to delete the key.

Restoring Data

Restoring encrypted data from tape follows the standard data restore processes that you use with your backup software. The only difference is that the key used to encrypt the data being restored needs to be on the library and assigned to the partition with the encrypted media, so the data can be decrypted. If the key is available, standard restore procedures simply work. If the key isn’t on the library, the library displays the moniker of the key to import. You can use the key moniker to identify the key, then import the key from a USB device or through the RLC. You also need the password used to encrypt the key when it was exported.

Endura Decryption Utility (EDU) is an optional safeguard, providing a method that lets you restore data without a library. Review information about the command-line encryption utility in Chapter 11. Endura Decryption Utility.

(41)

Restoring Data if Required Key is Available

If the right key isn’t available on the library when you need to restore encrypted data, the library prompts you with the moniker of the key that is required to decrypt the data. You can then import the key so that it is on the library as long as there isn’t already a key on it (if there is, delete the existing one first). After you assign it to the partition with the encrypted media, it is available for decryption.

If you don’t have a library available and need to restore the key, you need the password created when exporting the key, the key, and the command-line encryption utility described in Chapter 11. Endura Decryption Utility, along with a Linux computer to run the utility.

To restore data:

1. Load the tape to be decrypted.

2. Assign the key to the partition with the tape if it is not already assigned to it. 3. Use the backup software to automatically decrypt and restore data.

If the key is not available, a message indicates this. To import a key so that you can restore data, continue to the next set of steps.

Importing Keys

If the key is not available on the library, you can import it from a USB device or through the RLC. The RLC option only displays if you are logged in remotely. See the following sections for details instructions:

• Importing Keys from a USB Device and Restoring Data on page 42 • Importing Keys through the RLC and Restoring Data on page 43

(42)

Importing Keys from a USB Device and Restoring Data

To import a key stored on a USB device:

>

displays.

3. Insert the USB device into the library’s USB port.

4. Select Import Key. The Import Key Selection screen displays.

5. Choose the key to import from the Key List field, then select Next. The Import

Password screen displays.

6. Enter the password that was used to encrypt the key when it was being exported, then

select Next.

The Encryption Configuration Import Password screen displays, showing the moniker of the newly imported key.

7. Assign the imported key to the partition with the encrypted media. 8. Use your backup software to restore the data.

(43)

Importing Keys through the RLC and Restoring Data

You can import keys using the RLC if you can access the key from your computer. To import a key using the RLC:

>

displays, showing Import Key and Add Key.

3. Select Import Key. The Encryption Key Files Source screen displays. Note that this

(44)

4. Select Import key from RLC, then select Next. The RLC Encryption Key Upload screen

displays.

5. To identify the key file, either

• Type in the full path and file name in the Encryption Key File field.

• Select Browse. Locate and select the key, then select Open. The path for the key displays in the Encryption Key File field.

6. Select Next. The Import Password screen displays.

7. Enter the password that was used to encrypt the key when it was being exported, then

select Next.

The Encryption Configuration Import Password screen displays, showing the moniker of the newly imported key.

8. Assign the imported key to the partition with the encrypted media. 9. Use your backup software to restore the data.

(45)

T950 and T120 Libraries

Using Encryption

Once BlueScale Encryption is configured on your library, configure your backup software for your encrypted backups. the software sends the data to be encrypted to a partition that has encryption enabled and that has been assigned an encryption key. Encryption during backup is transparent—it happens automatically.

Restoring data is also transparent. If the encryption key required to decrypt the data is not on the library, the library displays the moniker of the key to import. Once the key is on the library and applied to the partition with the encrypted media, the data restores without requiring additional steps. Restoring Data on page 63 contains more information about data

(46)

Professional Edition Overview

Professional Edition supports multiple keys on the library simultaneously. Each partition that is enabled for encryption uses one key to encrypt data backed up through that partition. To streamline decryption, you can further configure the system to associate multiple monikers with a single partition. When you need to restore data, the Endura Key Management software looks at the keys you’ve assigned to the partition for both encryption and decryption. If it finds the right key, that key is used. If a key is required that isn’t assigned to the partition, the software displays the moniker of the key it needs to decrypt and restore the data.

For example, a single tape or RXT pack may contain data encrypted using multiple keys (that is, during Week 1, the data is encrypted with Key1; during Week 2,the key is Key2 and so on). You may want to keep Key1 on the library for decryption only, while Key2 is used to encrypt data currently written through that partition. Key2 is automatically used for decryption as needed.

Best practices recommend that you track keys associated with data on the media, so that you can readily decrypt and restore data.

Library-based Encryption

Professional Edition provides additional advantages for partitions that encrypt data through a QIP:

• Compression

• Rapid decryption of data on a single tape

Compression greatly reduces the number of tapes required to store encrypted data and reduces the time that it takes to back up data.

(47)

Configuring Encryption

Accessing Encryption Features

To access encryption features:

>

2. Select OK. No login or password is required the first time you log in. The Encryption

(48)

Configuring Encryption Features

To configure encryption features:

1. From the Encryption Configuration screen, select Configure. The Encryption Users

screen displays.

2. Select either:

• Single User Mode: Requires one encryption password to access all encryption

features.

• Multi-User Mode: Requires three unique encryption passwords. Once you have set

up the three passwords, use them as follows:

– Enter any one of the three to permit a library in Secure Initialization mode to initialize encryption when the library is starting up and to otherwise access most encryption features, excluding export and import encryption features.

– Enter a second password, when prompted, to access export and import encryption features.

(49)

3. Select Next. The Encryption Settings screen displays.

Note: If you selected Single User Mode, only one set of New Encryption

User Password and Retype Password fields display.

4. Configure how you want the library to be used:

• Standard Mode: When the library is powered on, data can be backed up to partitions

that support encryption without entering an encryption password.

• Secure Initialization Mode: When the library is powered on, partitions dedicated to

encryption are unavailable, so those backups do not run. To initialize encryption partitions, someone must log in as a superuser and enter the encryption password. To use Secure Initialization Mode, select Enable Secure Initialization.

(50)

5. Enter the number of passwords requested, using any combination of the numbers 0-9,

lower and upper case alphabetic characters (a-z and A-Z), and the at sign, dash, underscore, and colon characters (@-_:).

6. Enter each password again in the Retype Password field.

7. When all passwords have been entered, select OK. The Encryption Configuration

(51)

Creating an Encryption Key

1. From the Encryption Configuration screen, select Add Key. The New Encryption Key

screen displays.

2. Enter a name in the Moniker field that has not been used for any other encryption key,

and that uses any combination of the numbers 0-9, lower and upper case alphabetic characters (a-z and A-Z), and the at sign (@), dash (-), underscore (_), and colon (:) characters. Use an underscore character instead of a space to separate characters. This name references

the key.

The real key value never displays, and administrators don’t need to specify the real key value to encrypt data or manage keys. The moniker protects encrypted data by making sure that the true key value isn’t

Rules for Creating Monikers

• Each moniker must be a unique string of characters, independent of case.

• Make a habit of using a single case (all upper or all lower) for monikers. After export, case is ignored, so that keys associated with the monikers

Moniker1, moniker1, and MONIKER1 are interpreted as a single key. If you have two monikers that are identical except for case, then you may not be able to retrieve some of your data after importing such a key.

(52)

3. Select OK.

The Encryption Configuration screen displays, showing the key moniker, along with its creation time and date and a message reminding you to create a copy of the key for safekeeping.

If the key is lost, data cannot be recovered, so copying the key and storing it safely is extremely important to data decryption and recovery.

Because the key, identified by its moniker, isn’t yet assigned to a partition—that is, used by a partition to encrypt data—None is listed under Primary Key For and Decryption-Only Key For.

After you create a key, it’s very important the you create a copy of it, as covered in Protecting Keys on page 57.

(53)

-Assigning a Key to a Partition

After creating keys, you can assign one primary encryption key to each library partition. You can also specify multiple decryption-only keys.

Displaying the Partition Configuration Encryption Screen

You can assign keys to a library partition when adding the partition or editing its settings through the partition configuration wizard.

The Encryption screen for partition configuration lets you to enable encryption for the partition and associate keys with it. It only displays if the encryption password has been entered and there is at least one key available on the library.

Depending on your library and partition configuration, you may have up to three choices available on the partition configuration encryption screen:

• No encryption

• QIP-based encryption

• LTO-4 drive-based encryption

Partitions with encryption-enabled QIPs offer additional options: Enable Compression and

Enable Clear File at BOT. Choose compression if you want to use less media by backing up

more data to each tape. Choose the file clearing option if you want to enable all drives to be able to read the headers of encrypted tapes. These options do not display for drive-based encryption because those functions are handled by the drive, not by BlueScale Encryption. To display the Encryption screen:

1. Log in as superuser, then select Security

>

Encryption. The Encryption User Login

screen displays.

2. Enter the encryption password, then select OK.

3. Select Configuration

>

Partitions. The Shared Library Services screen displays. 4. Choose a partition and select Edit.

5. Navigate through the partition configuration screens by selecting Next until the

(54)

Associating Keys with a Partition

If the partition can support encryption, the encryption choices that display and are available depend on the hardware for the partition. The content of the Encryption screen varies accordingly.

With drive-based encryption, only one encryption key is allowed per LTO-4 tape. If you associate a different encryption key with a partition, you must first scratch tapes encrypted with the previous key to re-use them. Refer to Chapter 6. Recycling Encrypted LTO-4 Media in Spectra T950 and T120 Libraries on page 68 for more information.

To associate keys with a partition:

1. If the partition can support encryption, these encryption choices display:

• QIP-based Encryption — to encrypt data using the QIP.

• If you want readable (that is, non-encrypted) data at the beginning of the tape,

select Enable Clear File at BOT.

(55)

– or –

• Drive-based Encryption — to encrypt data using the drives.

– or –

If the data written through this partition does not need encryption, make sure that you select the No Encryption option.

2. Select the key to use to encrypt data. Only one key can be assigned as the active

encryption key.

3. From the list of keys at the bottom of the screen, select none, one, or more keys to be

associated with this partition and for use in decrypting data through this partition.

Note: Keys selected for data decryption are not used for encryption.

4. Navigate through the remaining partition configuration screens by selecting Next.

(56)

6. When you display the Security

>

Encryption screen, the results of the key

assignment are listed.

In this example, the key Bob is used as the active (primary) encryption key for both Partition 1 and Partition 2. The key Jeff is kept available for rapid data decryption for data restored using library partitions one and two.

7. To assign this or another key to another partition, select the partition through the